Experts Keep an Eye on Six Flags Biometric Ruling’s Impact on Businesses

The case, involving the fingerprint of a 14-year-old boy in Illinois that was captured by Grand Prairie-based Six Flags Entertainment Corp., puts businesses on alert about how to handle biometric information.

Many businesses in Texas are capturing and keeping biometric information, but a recent ruling by the Illinois Supreme Court against Grand Prairie-based Six Flags Entertainment Corp. could have an impact on how businesses nationwide collect and keep that data.

The use of biometric identifiers like fingerprints or iris scans can lead to more accurate identification of customers or employees, businesses say, but legal experts say the ruling boils down to simple words of caution for companies—know the law.

The Illinois case was filed by Stacy Rosenbach, who claimed that Six Flags scanned and kept the fingerprint her then 14-year-old son gave when he picked up a season pass to the Six Flags Great America park in Gurnee, Illinois, during a group trip. The scan was part of a national policy that Six Flags instituted in 2014 as a security procedure for pass holders to enter and exit its parks.

The mother said she did not give Six Flags permission to collect and store her son’s fingerprints.

Six Flags argued that for her to be a “person aggrieved,” Rosenbach would need to demonstrate the collection of the biometric information resulted in some form of injury. Six Flags Entertainment is the parent company of Six Flags Over Texas, and it has not commented on the case.

No actual harm is required, court rules

In its ruling, the Illinois Supreme Court reversed an appeals court ruling that the violations alleged in the lawsuit over the state’s strict Biometric Information Privacy Act, passed by the Illinois Legislature in 2008, were just “technical” in nature and didn’t constitute harm under the statute.

The court said that procedural protections are important because biometric identifiers can’t be changed if compromised, and that the private right of action is the only available enforcement mechanism. No actual harm was required for a claim to made, the court said.

Matt Todd

“The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action,” the court ruled. An article in the National Law Review posited that the ruling could open the floodgates to new class-action lawsuits in Illinois.

“If you do business in Illinois, then you should be paying close attention to what is happening there,” he said, noting the Illinois statute and the Texas Biometric Privacy Law are two of the nation’s toughest.

“These two statutes are considered among the two most strict in the nation,” Todd said.

What is a biometric identifier?

In Texas, a “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or a record of hand or face geometry, and that information can’t be captured for a commercial purpose unless the person is informed beforehand, and the business receives the person’s consent to capture it.

“If a Texas business is even thinking about collecting biometric information, they should become familiar with the statute,” Todd said.

“If a Texas business is even thinking about collecting biometric information, they should become familiar with the statute.”Matt Todd

A major differences between the Illinois and Texas laws is who can file for legal action and that, in Texas, damages aren’t an issue.

In Illinois, the case was filed by the mother of young boy. In Texas, only the state’s attorney general can file an action, Todd said.

And unlike in Illinois where damages were an issue in the litigation, in Texas any violation is subject to a civil fine of up to $25,000 for each violation that goes to the state.

Texas’ statute—enacted in 2009—defines a time limit in which collected biometric data must be destroyed.

The business, “shall destroy the biometric identifier within a reasonable time, but not later that the first anniversary of the date the purpose for the collecting the identifier expires…,” the law requires.

If the identifier is collected in Texas for the purpose of employment, the law notes that purpose of collection is presumed to expire on the date that employment ends.

Todd said that data breaches have been a concern for the collection of biometric identifiers since the laws went into effect.

And, Todd noted, the Texas law does not apply to voiceprint data kept by financial institutions or their affiliates. That is covered under federal law.

Get on the list.
Dallas Innovates, every day.

Sign up to keep your eye on what’s new and next in Dallas-Fort Worth, every day.

The IoT expert says North Texas' concentration of industry producers has "long enabled the innovation potential of the convergence of communication, community, and computation." Here are Brody's tech predictions for the future.